
willdavid writes to tell us InformationWeek is reporting that McAfee, in their annual report, has warned investors that "ambiguous" open source licenses "may result in unanticipated obligations regarding [McAfee] products." "McAfee said it's particularly troubling that the legality of terms included in the GNU/General Public License -- the most widely used open source license -- have yet to be tested in court. 'Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,' McAfee said in the report filed last month with the Securities and Exchange Commission. Among other things, the GPL requires that manufacturers who in their products use software governed by the license distribute the software's source code to end users or customers. Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering."

Yes. And to correct the article, they aren't really worried about having to release code that may "leave... products open to tampering", but rather, people might find blatantly obvious bugs or omissions with how they "protect" your computer. And then profit from it, either by writing rootkits or whatever that bypass their "protection" or by suing them when they are infected by these rootkits.


I would suspect that it would be easier to run automated programs for finding buffer over-runs, etc, rather than fishing through thousands of lines of code looking for a non-obvious vulnerability (anybody who has ever coded knows that ALL coding mistakes are non-obvious... as soon as they press the compile button :P).

By their logic it would be trivial to hack into a Linux computer because it is open-source, and next to impossible to hack into a Microsoft computer.

Refactoring isn't just "any random change of the code". Refactoring means modifications of the code that are not supposed to alter its functionality. Things like renaming variables or moving code or data from one place to another.

I re-factor a lot of code, much of it I did not write (but sometimes it's my old code where I didn't get it perfect or account for future developments). Semantic transformations of code that do not alter functionality allow you to remain relatively sure that you are not breaking anyt

> By their logic it would be trivial to hack into a Linux computer because it is open-source, and next to impossible to hack into a Microsoft computer.

That's what I gleaned from the headline. According to McAfee's logic, if the source is open it means it is less secure. I suppose they've never had the benefit of thousands of friendly eyes poring over their code in the hopes of helping them improve it.

I'm of the belief that there are more people wanting to do good than bad. Of course, McAfee probably can only see the attacks they receive on their product by the nefarious trying to bypass their systems. From all that I can tell, McAfee is the Gateway (computers) of the AV world, it's useful if you aren't too worried about quality.

/sorry, early in the morning. thoughts may be incomplete and incoherent.

> Yes. And to correct the article, they aren't really worried about having to release code that may "leave... products open to tampering", but rather, people might find blatantly obvious bugs or omissions with how they "protect" your computer. And then profit from it, either by writing rootkits or whatever that bypass their "protection" or by suing them when they are infected by these rootkits.

They have a very simple solution, then, don't they? Do their own graft, write their own damn software, and stop freeloading off the community.

I assure you, my friend, that this is not only the case in the USA. Europe (that's where I'm located) is not much better either. Corporate behaviour ESPECIALLY (but not only) with respect to open source and the GPL is plain disgusting.

I'm all for profit, after all that means my paycheck is secured and will grow, but if it's achieved by almost-criminal means, I don't need it. Otherwise, why don't we all just start selling crack? That's where the really big money is, after all.

> They have a very simple solution, then, don't they? Do their own graft, write their own damn software, and stop freeloading off the community.

Your understanding of the issues involved seems pretty close to zero. They are not "freeloading off the community", they are supporting Linux.

The problem is simply that in order to write software that interacts with Linux at the low level they need to interact, they need to use code that defines how Linux processes some things internally. There is no choice -- to su

The article talks more about lawsuits regarding GPL license violations than it does about security issues.

Much security software is already open-source: encryption, firewall, virus scan, etc. The fact is that there is no inherent security problem with GPL software. McAfee just appears to have a problem with the licensing.

Yes it seems like they would like to have their open source cake and eat it too.

I have been reading a fair bit of legal analysis (IANAL) relating to the GPL v2 and have been discussing various ambiguities relating to the GPL v3 with people at the SFLC. These licenses *do* have some ambiguities (though I think they are less of an issue for the GPL v2). The major issue for the GPL v2 is that it is not 100% clear where the boundary relating to mere aggregation is. In general it is easy to read "a work based on the original work" meaning derivative work (i.e. a transformation or adaption

No, they are worried that if governments begin using "infected"[*] open source products, they [McAfee] might be forced to support those open source products. And they are afraid that their code will be contaminated by the GPL *license* (note: not code).

Let me put it another way...

1. You create a program for counting beans; it's written for Microsoft Windows.
2. 40% of your important customers (government) switch to Linux.
3. Because you want to keep your clients, you port your application to Linux. In order to get access to the proper low-level interfaces (that you imagine you need for your bean counter), you start writing some kernel support functions.
4. You deliver your application to your government. You are happy, the government is happy.
5. One day, someone posts a "Company X are in violation of the GPL!" to Slashdot -- and all hell breaks loose. Your lawyers tell you that "Yes, we have to open source all our products, because they have all been contaminated by the GPL, because we touched the Linux kernel source (which is GPL)!".
6. You shut down your business, and live on welfare for the rest of your life.

The only thing which has happened here is that McAfee has proclaimed that GPL is viral (it infects innocent suspects' code).

I suspect that McAfee has been offered a Great Deal by someone, in exchange for publicly stating that the GPL is viral.

And no, I don't believe they are using GPL code. That's not what this is about. They are afraid of their (important) customers demanding McAfee support GPL products.

Your post doesn't make sense - or maybe I'm not following you? Anyone can write a Linux application and use any license they like (or stated another way, quite a few Linux applications are proprietary - the proprietary Flash plugin, for instance). McAfee wouldn't need to release their product under the GPL just to run it on Linux.

And if they want to write a kernel support function that compiles with Linux and is also part of their product, they can dual-license (GPL when it's compiled with Linux, proprietary when part of their product). As long as they hold copyright, they aren't limited at all.

What they seem to be saying is that they compile code written by someone else and released under only the GPL in their products. They can't change the license on code on which someone else holds copyright, so they are distributing that code in violation of the license (or, more precisely, in violation of copyright). Either they must "cure" the violation (e.g., by releasing their source code or replacing the GPL'd code), or acquire a commercial license from the copyright holder (if available).

If you mess with kernel support functions you have to use the GPL because the Linux kernel is GPL'd. That is what the GP's post is about.

Wrong

If you link against the Linux kernel (or part of it), then you have to use GPL. Very few programs do this. Even kernel modules do not have to do this, provided they use the correct API.

If you copy code from the Linux kernel, then you have to use the GPL. Incidentally, this applies even if you don't copy verbatim - if you copy the structure and then change variable and function names, you still have to use GPL.

But if you have a piece of code which you wrote in its entirety, and which is only linked against the Linux kernel when on Linux, then it only has to be GPL'd when actually linked to the Linux kernel. The version you ship on Windows or Mac OS X can be licensed any way you like.

Anyone who tells you different is just spreading FUD. Version Two [gnu.org] of the GPL is a very simple document and is easy to read. It means just what it says, there's nothing complex behind it. Version Three [gnu.org] is a little more prolix, but it still means just what it says. Go read it yourself; don't listen to people who are trying to mislead you.

I still don't buy the argument that linking against something that is built to be linked against makes your product a derived work under copyright law. I know that this is the FSF's position and Stallman's, but I don't know if it's ever going to stand up when tested.

I can see one thing they'd want to add to the kernel for "on-demand" scanning, it would be an interface to get information about new files, or be able to snoop on file writes or something. Nevermind that it probably already exists (/[id]notify/), they would just need to publish under the GPL the tiny part that is to reside in the kernel and its interfaces. Just like you can implement a proprietary filesystem through Fuse if you want, there would be no GPL requirement on the userland part of the software.

Something like inotify doesn't cut it for a virus scanner, since it needs to intercept read / write calls to be able to scan the files before the data is read. Something like systrace on {Net,Open}BSD could do it, but there is a known security vulnerability in that entire approach (which also affects virus scanners on other platforms).

And that would be a sensible way to implement a Caged virus-checker: as a Caged module for Fuse, implementing its own filesystem with built-in virus checking.

On the other hand, the Unix security model inherited by Linux includes permissions (which make it much less likely for things to get executed that should not get executed) and ownerships (which make it less likely for things to get modified that should not get modified). Sensible default behaviours (for example, not running as root except when

See, I'm no expert but I would think that nVidia's graphics drivers would also 'need to muck about at kernel level', and they do not use the GPL. I've heard they have a little LGPL bit that connects the kernel and their driver or something like that.

The GPL must be attached to any "derived works" of the Linux kernel. I.e. if you write a module for the Linux kernel it must be GPLed. However, nVidia did not do this - they wrote their driver for Windows. They then took the Windows driver and wrote a GPLed i

Considering that the GPL only comes into play when you DISTRIBUTE the code in question, the NVidia driver's been pretty much something of a non-issue. You can't legally distribute to someone an install done this way, or provide an installation that ships directly with the NVidia drivers, but you can ship a Linux install that can make it easy for someone and you can always turn it off/remove the offending binary blob when you hand someone a machine you've been using the driver on. Since usage is not controlle

GPL code does not "infect innocent suspects' code"... If you choose to use GPL code in your product, then you must agree to the terms under which you are permitted to do so. These companies cross license code between each other all the time with a plethora of different licensing requirements. For example Microsoft will license a lot of code to you, such as wma/wmv codecs and drm, under the condition that you pay them for each copy you distribute as part of one of your products. The only difference with the GPL is the requirements which you must abide by in order to distribute. Don't like the terms? Then write your own, or license code from somewhere else under different terms, or merely change the way you use the GPL code so that compliance no longer bothers you.

All this garbage about "releasing the source makes our products less secure" is ridiculous... Open source software has a very good track record when it comes to security, just look at OpenBSD for instance, and then you have apps like qmail for which the source has been available for years without huge numbers of holes. And Solaris hasn't suddenly seen a rash of new vulnerabilities since being open sourced. If code is well written, it doesn't matter who can see the source code. If it's poorly written you can understand why someone wouldn't want to be embarrassed by its release, but if it's full of holes people will still reverse engineer the binaries to find them.

> 5. One day, someone posts a "Company X are in violation of the GPL!" to Slashdot -- and all hell breaks loose. Your lawyers tell you that "Yes, we have to open source all our products, because they have all been contaminated by the GPL, because we touched the Linux kernel source (which is GPL)!".
> 6. You shut down your business, and live on welfare for the rest of your life.

Well lets see. If it is GPL software involved you have a choice. Either you release the source code and maybe you shut down your business /

They aren't worried. This is typical of a "full disclosure" of risks that companies give to their investors. They imagine everything that could possibly go wrong, and tell that to the people whose money they took, to cover their asses in case it does go wrong. It doesn't mean they think it will go wrong, any more than Ford thinks you will believe the objects in the mirror are as far away as they appear, or the Coppertone people think you will take their sunscreen internally. They're just covering their

> McAfee frequently cautions other companies about the latest bugs and computer viruses, but the security software maker is now warning that its own business could be in jeopardy -- not from some form of malware but from the fact that its products rely heavily on open source software.

Reporting error from the article writer, or straight from the horse's mouth that McAfee has been violating the GPL?

Don't want to be bound to the terms of the GPL? Don't use GPL code!
Just another piece of FUD.

You are seriously mistaken. You are assuming that it is company policy to inappropriately incorporate GPL'd code. It may be against policy but a programmer may get lazy and do it on his own. Hell, it could be a relatively honest mistake like confusing a GPL'd lib for a LGPL'd lib. A GPL related lawsuit would be an appropriate item in the risks section of an SEC filing.

> You are seriously mistaken. You are assuming that it is company policy to inappropriately incorporate GPL'd code. It may be against policy but a programmer may get lazy and do it on his own.

Then when that's identified, they have to remove the code, if necessary pulling the product. Or comply with whatever license the copyright holder is prepared to grant them. This is EXACTLY the same position as if the lazy programmer had infringed on a previous employer's code, or on leaked Microsoft code or... any other copyright infringement at all.

Their best bet is to tighten up on their recruitment and code review processes. That would certainly beat complaining that it MAY turn out that some of their employees may be breaking various laws and that if they are then the victims may be gosh darned unreasonable about it.

> You are seriously mistaken. You are assuming that it is company policy to inappropriately incorporate GPL'd code. It may be against policy but a programmer may get lazy and do it on his own. Hell, it could be a relatively honest mistake like confusing a GPL'd lib for a LGPL'd lib. A GPL related lawsuit would be an appropriate item in the risks section of an SEC filing.

If you don't have sufficient code review processes in place, and you don't know where your employees are copying code from, that's very much your problem. McAfee may be that unprofessional, but if they are they deserve everything that's coming to them.

Can be tricky, if you have a bunch of young programmers hacking on a closed source codebase and they don't care about these things. You need to educate your programmers about licencing issues and have a monitoring process of your codebase that can identify blatant violations of your licensing policy. Otherwise your codebase will end up depending on GPL libraries or include verbatim copies ("look, ma, what I found on the Internet") of GPL code. If you ever ship a release with such code, be prepared of the wh

And how is that any different from them copying an example program out of a copyrighted textbook with a notice inside the front cover to the effect that use of code examples in a commercial application requires permission from the author?

If you don't want to end up in court for copyright violation, don't violate copyright.

The difference is the ease of use. It's just so incredibly easy for stupid programmers to copy code off the Internet and introduce that into your proprietary codebase. I don't blame the GPL. I blame the bad education of the people.

There is no free lunch. These manufacturers are seeing the "gold mine" of open source software as a way to do less work. Well, you've got to comply with the terms of the license if you distribute it. No two ways about it.

What if, instead of distributing GPL software with your app/hw, you had your installation software download the same GPL software onto the box from the internet. Would you be violating the GPL in any way?

Let's put a couple of caveats...

1. Your sw/hw can work without the GPL stuff, even if in a very limited manner.
2. You make the user press the button to download the GPL stuff.

When you link a GPL work against a non-GPL work, you create a derivative work. As long as you are authorised to possess both works, the derivative work you create is initially permitted by the Law of the Land, as Fair Dealing (Fair Use in some jurisdictions), and any apparent prohibition in the licence terms is unenforceable precisely because a promise not to do something the Law of the Land already says you can do is worthless.

However, the terms of both licences now apply to the derivative work as a whole. If the restrictive licence said "You must not distribute the Source Code to others", that would conflict with the GPL's requirement to distribute the Source Code. Therefore, the only way you can comply with both licences at once is not to distribute the software at all (aka "Liberty or Death").

The key point is, you don't need a licence to create that Derivative Work. You need one to distribute it. None of which would be an issue, by the way, if software vendors just distributed the frigging Source Code already.

Do you guys have a clue as to what goes into the risks section of an SEC filing? Pretty much anything conceivable. That way if it happens it is harder to get sued by an ambulance chasing lawyer who found *one* unhappy shareholder and filed a class action suit. So if you are a publicly traded company you probably should have a risk enumerated that a programmer will violate policy and inappropriately incorporate GPL'd code.

Yeah, but do you have a clue as to what goes into the comments section of a Slashdot story? Pretty much anything conceivable. That way, people can try out their favourite rants and arguments as long as it's roughly on topic :)

Sounds to me like that is just an excuse; I think it is fairly likely they are just trying to stir up trouble for the FOSS community with the SEC. They have a lot at stake if you think about it. AV companies' prime source of revenue is MS, and its adoption is declining while *nix-based systems' is increasing. They probably have little experience with *nix software and know most people won't see much need for a *nix AV solution, and there are several to compete with already.

I could be wrong but it seems like this and similar complaints about FOSS are from entities with self-serving interests rather than the interests of society/the world at large. A lot of it is just FUD hoping to encourage paranoia in businesses and slow FOSS adoption.

Nah, I would guess it more likely has to do with the various McAfee appliances (i.e. Messaging or Web Security [mcafee.com]). They could be using GPL code (such as a modified kernel and TCP/IP stack, or portions of some other OSS package).

And stupid to boot. As another poster wrote, it is likely to be about a modified IP stack for their internet-oriented products. There is still BSD, whose license allows that copying into closed source products. IIRC you have to give credit somewhere in the documentation, but that is a small price for legally getting free code.

> [...] that any conditions imposed regarding distribution of a copyrighted work is at the whim of the copyright holder.

No. The conditions are still subject to

a) common law. Extreme example: you can't demand the firstborn for the use or distribution of the work.

b) interpretation by court. The legal meaning is finally determined by judges.

Copyright law is well tested in court, and so is Licensing law, and so is Contract law. However, the various F/OSS licenses meld the three different kinds of law together in a new way, and this melding isn't yet tested in court.

> any conditions imposed regarding distribution of a copyrighted work is at the whim of the copyright holder.

A copyright holder can't impose conditions on the distribution of his work on a whim - either th

They are rather concerned about this since the stock GPL could well "contaminate" the rest of their codebase, requiring them to release some or all of the products containing the GPL'd code in question. The GPL has occasionally been nicknamed the "General Public Virus" for this reason. This leaves them vulnerable, and lets just about anyone use the source code for whatever purposes they desire, 99% of which will not involve paying McAfee one cent.

> Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering

Uh, that's the very idea of the GPL. It lets people who bought the product use it in any way they see fit, which includes "tampering" with it. It even allows you to redistribute it. The only thing it prevents is redistribution under a different license without permission. Didn't anyone give McAfee the memo?

> 'Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,' McAfee said in the report filed last month with the Securities and Exchange Commission.

> When all software out there is Open Source, leaks will be found and closed.

When all software is open source, there will be so much of it that the scope for virus infection is wider, and products that monitor system calls and do intrusion detection will have more market.

McAfee's real problem is that Windows gets more and more locked down and fine-grained capability permissions are being applied. The days of the blanket anti-virus product are numbered in the business world, balanced against the rise of the dedicated software administrator.

> When all software out there is Open Source, leaks will be found and closed.

Right, because of course Free software never has security bugs [redhat.com]. Look, I'm a paid-up card-carrying member of the FSF, which makes me about as much of a swivel-eyed zealot as they come, but even we don't make silly claims like that.

.... to criminalize such FUD, but there are laws against slander and libel. Perhaps the FSF and EFF should take action.

However the real issue here is not exposing this FUD to those who know better but to those who don't. So sue to force such FUD-spreading companies to undo the FUD they spread by the same means and extent they used to spread it.

There is nothing "ambiguous" about the GPL, at least not in the context presented. Both cases, "security by obscurity" and "keep part of the program proprietary", are simple no-gos with regard to the GPL.

What "ambiguous" really means is that some companies hope they can get away with ignoring the GPL, either directly or by finding some legal loophole.

McAfee is correct that either strategy puts the company at risk. Just as it puts the company at risk to ignore or circumvent the license of any proprietary soft

What McAfee needs to do is tell someone who really cares. McAfee was one of the original anti-virus companies whose software was free to the home user and cost only a modest fee for the corporate user. Also, their product was of a higher quality than most of the others on the market, was updated frequently and non-intrusive, but all that changed after incorporation in 1992 when they started to follow the Microsoft style of marketing.

> Some manufacturers have voiced concerns that the requirement could leave important security or copyright protection features in their products open to tampering.

Translation: "Some manufacturers have voiced concerns that the requirement could leave important user-restriction features or copyright fair-use prevention features in their products open to rightful destruction."

They fail to grasp the most important aspect of GPL: every end-user is also the master of said software; it is not up to anyone else to decide what he can and can't do. Features which keep the end-user out are not part of (publicly distributed) GPL software, period.

My guess is that this warning has arisen from the use of kernel hooks to provide on-demand scanning. I read somewhere that McAfee modifies the Windows kernel to intercept among others file access calls. They might want to do the same for Linux, which would subject the code that provides those hooks to the GPL. It may be the case that McAfee thinks that this code must be secret to ensure the security of their product, and that could be why they are so afraid of the GPL.

It already exists, it's called Dazuko [dazuko.org]. It's licensed under the GPL for the Linux kernel, and BSD license for FreeBSD. But the Linux kernel license makes it quite clear that making system calls from user space (essentially all kernel extensions like this just provide extra syscalls and ioctls) does not constitute a derivative work so far as the GPL is concerned. Otherwise any piece of proprietary software running on Linux would be necessarily screwed.

Fuck McAfee. Their anti-virus and security products suck anyway; buying a prebuilt machine that comes with this crap on it is about as bad as the ones which come with Norton... I have never met anyone who has worked with windows machines a lot who doesn't dislike both of these products. It's not so much that they aren't secure enough for various reasons, it's that they impose such an overhead on your machine, occasionally can be difficult to remove, install so much crap, and really impact the user experience

A company unable to understand a license is probably not good enough to protect your computer...

Well, I can tell you from first-hand experience with at least half a dozen versions of their software that their uninstaller sucks golf-balls through the garden hose...

Of course, I can say the same for Symantec, and don't really consider this at all accidental. After all, most OEM PCs come with 3 months' to a year's free AV support, and Zeus help anyone who decides they want to switch to a different AV pack

...no warez, no cracks, most software from distro repositories, single command to update all software = 90% of their market is gone. The last 10% are those that would stab themselves in the foot if you didn't give them a gun. Anti-virus companies live off people downloading infected shit, unpatched software (either because they're lazy OR it'll break their cracked software) and the fact that anybody can set up a professional-looking website with malware. They say Linux is only free if your time is worthles

When you're a public company, and you release an annual report, you are required to list just about every possible risk to your company that you can think of. That way, potential shareholders who read the report and buy stock based on your good news are also exposed to the bad news at the same time. If your CEO is brilliant, you have to point out that he could die. If you have a gigantic data center, you have to point out that it could get hit by a missile. If you have obvious competitors, you have to poi

McAfee makes a virus scanner for Linux [mcafee.com]. Presumably the "on-demand" scanning uses a closed-source kernel module. Some kernel developers (i.e. copyright holders) assert that it violates the GPL to distribute closed-source kernel modules (although NVIDIA's and ATI's lawyers presumably disagree). This has never been tested in court. If one of the kernel copyright holders decided to litigate and won, then McAfee might have to stop selling their product, or significantly alter it. Since there is a risk of this happening, they are required to disclose it to investors.

Because of this? There are much better reasons why not to buy McAfee products. Only recently they fucked up again by identifying commonly used JavaScript frameworks/libraries as being malware. Or missing various common malware, not to mention the resource hogs their products usually are.

While you may not have meant it, your comment pokes at another plausible reason for McAfee to dislike FOSS. After switching to Linux a ways back, I never even had a reason to buy McAfee products. Their business is dependent on vulnerable software for them to come in and protect; clearly any solid development model would be a threat to their wellbeing. It's not (just?) problems with FOSS software that bothers McAfee, it's FOSS's strengths, too.

> Their business is dependent on vulnerable software for them to come in and protect

Yes, that's correct, and when GNU/Linux takes over the world and McAfee feels the need to diversify by building more products for it (be it antivirus or anything else), I am going to remember their FUD about GPL and make sure to keep them out of my shopping basket.

> talking about an American election that you would have no say in if you were European

I am European, but I am also a citizen of the world, so I have an interest in every country's wellbeing. I don't want to visit the US because of Bush's empire-building, but if a new president returns America to its true values of its founding fathers, then I would be happy to go and do business in America.

About McAfee.. I use Debian, but my meaning was that if I ever find myself considering a McAfee product for any reason, then I will remember what they said about the GPL and act accordingly.

What would be foolish is not understanding the terms of the license. Apple ships Mac OSX with GPL components. Linksys and Asus (both after a slight spanking) ship products with GPL components. Even Dell does. The key is understanding the GPL, adhering to it and having a product that is beneficial beyond the GPL code base (notice that all three examples sell hardware... although with Apple their software is not dependent on GPL but rather benefits from it).

The GPL is already far less restrictive than most commercial licenses... Do you think Microsoft would sit idly by if someone took the Windows source code that was leaked a couple of years back and created a derivative work? The leaked source could have proved beneficial to projects like Wine, ReactOS and Samba etc, but they avoided it because it would be illegal. Given a reversed situation I doubt whether Microsoft would behave in such a responsible and ethical manner, but despite their behaviour they do hav

Maybe I'm not thinking this through completely, so forgive my youthful ignorance..... but since when did OPEN SOURCE software NEED copyright protection features?

It is the other way around. A DRM implementation might find it useful to have code that implements AES, as an example, and there are open source implementations, so it would be useful to incorporate some well-tested AES code that is licensed under GPL into a DRM implementation.

That is perfectly legal to do, but it requires that the DRM implementation would be licensed under GPL, which means that anyone, including evil DRM crackers, would have access to the source code. If you can find a way to implement

And there's good reason for this. You don't necessarily know the provenance of the source code. Here's an example: I was doing evaluations of the two open source identification products available today (from Black Duck and Palamida), and I found an instance where it appeared that code that was originally released under the GPL had found its way into code that was released under the Apache license. I did some due diligence on this, looking back in the repositories to see when the initial checkins had been